
AD-Assurance Notes from April 5

David Walker, InCommon/Internet2
Brian Arkills, UWash
Michael Brogan, UWash 
Jeff Capehart, UFL 
Ron Thielen, UChicago 
Joe Streeter, UW Madison 
Eric Coleman, University of Illinois 
Jeff Whitworth, UNC-Greensboro
Mark Rank, UCSF
Ann West, InCommon/Internet2 

Next Call

April 12 at Noon ET
+1-734-615-7474 PREFERRED
+1-866-411-0013
0195240#
Agenda: Updates to AIs

Action Items

- Michael to update the table to reflect LDAP (SSL/TLS), Kerberos and protected channels guidance by citing it once in the matrix and using footnotes where later applicable. 
- ALL review the matrix with an eye to our two use cases highlighted in the scoping doc: AD as a verifier and AD as a provisioned copy of the credentials but not acting as the IdP's verifier.
- Brian will update 4.2.5.1.
- All - Do we want to compare Kerberos5 with MS AD Kerb?
- Jeff W will update 4.2.5.2

Cookbook Todo List

Add guidance about methods to prevent transient password exposure.

Notes

NASA Questions

The subgroup will be meeting with NASA on April 17th. What should be the focus of the conversation: Do they support LoA 2 or higher with AD? If so, how?

Notes approved.

Action Item Updates

David's AM Abstract - The InC AM process is meant to address alternative ways of meeting a specific criterion of the IAP, so one can't submit a general AM that covers multiple criteria. An AM proposal is needed for the specific item, but we can introduce this notion of checking for non-compliant behavior in a timely manner when it is found.

Michael's updates re: LDAP (SSL/TLS), Kerberos and protected channels - This information would otherwise be duplicated across the table. How should we document it? Add it to the first cell and then refer to it with a footnote. Michael to update the table to reflect this approach for these topics.

Matrix

ALL - We need to review the matrix with an eye to our two use cases highlighted in the scoping doc: AD as a verifier and AD as a provisioned copy of the credentials but not acting as the IdP's verifier. 

4.2.5.1 - Resist Replay Attack - This is a passive listening attack where the bad guy just replays a captured hash or other credential as-is to access the target. By itself, this gives the attacker nothing that can be used to make an identity assertion. Where AD fits into the IdMS and IdP is really important: if AD acts as a verifier for the IdP, or stores the same password that the IdP's verifier uses, then there are issues. Otherwise, it doesn't apply and there are no gaps.

AI - Brian will update this section. 

4.2.5.2 - Resist Eavesdropper Attack - This active attack involves capturing the credential, decrypting it, and using it to gain access. Eavesdropping on a one-time-use token (Kerberos) is lower risk than on a multiple-use password. Kerberos, through its use of tickets, is not vulnerable to eavesdropper attack. AI - All - Do we want to compare Kerberos5 with MS AD Kerb?

Discussed the term "impractical" as defined in 800-63: it requires a password that takes at least 2^80 cryptographic operations to crack. A 13-character password is 2^85.
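The 2^80 threshold and the 13-character figure above follow from the size of the password keyspace: a random 13-character password drawn from the 95 printable ASCII characters has 95^13, or roughly 2^85, possibilities. The following is an added worked example (not part of the meeting notes or any InCommon material) that computes this work factor for a few character classes and the minimum length needed to clear the 2^80 bar; the alphabet sizes and the assumption that the page's 13-character figure uses the full printable ASCII set are mine.

```python
import math

# Constructed alphabet sizes for common password character classes.
# Assumption: the notes' "13 character" figure uses all 95 printable ASCII characters.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}

# Threshold from the notes: an attack is "impractical" at >= 2^80 operations.
IMPRACTICAL_BITS = 80


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Log2 of the number of candidate passwords an exhaustive search must try.

    Models a uniformly random password; one guess is counted as one operation.
    """
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, bits: int = IMPRACTICAL_BITS) -> int:
    """Smallest length whose full keyspace is at least 2^bits."""
    return math.ceil(bits / math.log2(alphabet_size))


def meets_threshold(alphabet_size: int, length: int, bits: int = IMPRACTICAL_BITS) -> bool:
    """True if exhaustive search over this alphabet/length costs at least 2^bits guesses."""
    return keyspace_bits(alphabet_size, length) >= bits


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"{name:16s} alphabet={size:3d} "
              f"13 chars -> 2^{keyspace_bits(size, 13):.1f}, "
              f"min length for 2^{IMPRACTICAL_BITS}: {min_length(size)}")
```

The calculation counts the full keyspace of a uniformly random password, which is the optimistic case; human-chosen passwords carry far less entropy than their length suggests, so a policy based on this arithmetic alone overstates the work an attacker actually faces.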

AI - Jeff W. will update this section.
